------------------------------------------------------------------------
BCSA 014
Badly Coded, Inc. Security Advisory
March 11th, 2019
------------------------------------------------------------------------

BCSA-014: Command in -t option in BCMTA 1.1 allows root execution

Affected versions: 1.1 and earlier
Fixed versions: 1.2 and later

Versions of BCMTA through version 1.1 contained a feature that allowed commands to be specified in a user's .forward file to be executed when messages were delivered. However, because of a coding mistake, such a program could also be specified with the -t command-line option, and in that case the program would run as root, allowing local privilege escalation.

In our internal discussions about this feature our engineers have concluded that it will be challenging to support this feature securely, so for version 1.2 we have disabled this feature entirely. It may be re-introduced in a future version after we have developed more complete security checking for it.

We would like to acknowledge a number of students from the University of Minnesota's Computer Science and Engineering 5271 course who reported this vulnerability.

All BCMTA users are recommended to upgrade at their earliest convenience.
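As an added illustration (not BCMTA's code and not part of the advisory), the following Python models the delivery decision the 1.2 fix enforces: a program named on the command line is refused outright, .forward pipe targets are scheduled only under the recipient's own uid and never as root, and the child that would run such a program verifies that privileges were really dropped before exec. All function names, the .forward syntax and the option names are assumptions.

```python
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    kind: str     # "mailbox", "forward" or "pipe"
    target: str
    run_as: int   # uid a pipe program would execute under

class UnsafeDelivery(Exception):
    """A delivery that would run a program under the wrong identity."""

def parse_forward(text):
    """One target per .forward line; a leading '|' names a program to pipe to (assumed syntax)."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = "pipe" if line.startswith("|") else "forward"
        targets.append((kind, line.lstrip("|").strip()))
    return targets

def plan_delivery(recipient_uid, forward_text, cli_program=None, allow_pipes=False):
    """Decide how a message for recipient_uid is delivered. A program supplied on the
    command line (the -t path in BCMTA 1.1) is refused, matching the 1.2 fix; pipe
    targets from .forward run only as the recipient, and never when that is root."""
    if cli_program is not None:
        raise UnsafeDelivery("programs may not be supplied on the command line")
    actions = []
    for kind, target in parse_forward(forward_text):
        if kind == "pipe" and not allow_pipes:
            raise UnsafeDelivery(".forward commands are disabled")
        if kind == "pipe" and recipient_uid == 0:
            raise UnsafeDelivery("refusing to run a .forward command as root")
        actions.append(Action(kind, target, recipient_uid))
    return actions or [Action("mailbox", str(recipient_uid), recipient_uid)]

def is_refused(**kwargs):
    """True when plan_delivery rejects the request (helper for checks)."""
    try:
        plan_delivery(**kwargs)
        return False
    except UnsafeDelivery:
        return True

def run_pipe(action, argv):
    """Fork and exec a pipe action as action.run_as; the child proves it cannot regain
    root before exec'ing. The recipient uid doubles as gid here for brevity."""
    assert action.kind == "pipe" and action.run_as != 0
    pid = os.fork()
    if pid == 0:
        if os.geteuid() == 0:
            os.setgroups([])
        os.setgid(action.run_as); os.setuid(action.run_as)
        try:
            os.setuid(0)          # must fail once privileges are really gone
        except PermissionError:
            os.execvp(argv[0], argv)
        os._exit(126)             # privilege drop did not stick: do not run
    return os.waitpid(pid, 0)[1]
```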